NETSCOUT Threat Intelligence Report: Attention! Cybercriminals are increasingly focusing on your entire connectivity chain!
by Svenja Koch
Attacks on VPNs and the connectivity chain on the rise
NETSCOUT's Threat Intelligence Report looks at the number of cyberattacks on the connectivity chain in the first half of 2021, with around 46,000 such attacks recorded during this period. This represents a significant increase in the activity of cybercriminals compared to the same period last year. Attacks on VPNs are in particular focus. Around 41,000 of the 46,000 attacks fall into this category, according to NETSCOUT's study.
Why are attacks on VPNs and other infrastructure elements so dangerous?
Attacks on network infrastructure and connections are different from direct attacks on individual networks. If such an attack succeeds, then the entire connectivity chain in that sector is threatened or disrupted. What supply chains with trucks or container ships are for the economy, DNS servers, Internet nodes, and VPNs are for the Internet's infrastructure. Failures in this area have far-reaching consequences.
Indeed, in such a case, all users of such a service are affected by the activities of cybercriminals. Although they are not the direct target, the collateral damage is deliberately caused by the attackers. At the same time, such an attack disrupts the connection to online resources. This cuts off the availability of cloud services, for example, and limits the ability of IT security teams to respond to these attacks. This is because they also use connections via VPNs and other infrastructure elements, and if these are not functioning, a quick response is not possible.
What are the targets of connectivity chain attacks?
These activities of cybercriminals are primarily aimed at blocking the relevant services. A successful attack affects hundreds of thousands or even millions of Internet users. The actual disruption of the service is only the first part of the attack. This is followed by blackmail. The hackers threaten to expand the attacks or maintain the blocking of the service if the victim does not comply with the demands.
Moreover, the attackers give a tight timeframe for the extortion to be fulfilled. This increases the chance that the victim will comply with the demand for fear of not responding to the attacks sufficiently quickly. The hackers usually demand a large sum of money, payable via Bitcoin. Cybercriminals primarily use Bitcoin and other digital payment methods because transactions via these cryptocurrencies are untraceable for investigators.
What methods do hackers use when attacking VPNs and other areas of the infrastructure?
When attacking areas of the infrastructure such as VPNs or Internet exchanges, hackers primarily resort to DDoS attacks. This distributed denial of service attack overloads a specific point with excessive requests. DNS servers, for example, are designed to accept and respond to a high number of requests. However, if these requests exceed the maximum that the system is designed to handle, an overload occurs. This initially manifests itself in a significantly increased response time before the system collapses under the requests. Then the service is no longer available. A simple reset and restart are ineffective if the DDoS attack is still active. Because then the DNS server collapses again under the attacks that continue to arrive.
For this reason, botnets are an important part of cybercriminals' activities. To generate this amount of requests, many individual systems are needed. Hackers usually do not have such an infrastructure of their own. Instead, the hackers use hijacked computers for DDoS attacks. A botnet consists of computer systems from all over the world infiltrated with malware. The hackers control the entire botnet centrally and launch DDoS attacks via commands to the hijacked computers. This makes these attacks so difficult to defend against because the attack does not originate from a single system or a unified IP range. At first glance, these are random accesses that have no context. NETSCOUT reports in its Threat Intelligence Report that the maximum attack bandwidth in the first half of 2021 was 307 Gbps.
Another popular method used by hackers, which NETSCOUT's Threat Intelligence Report also mentions, is the DNS Amplification attack. It is similar to the DDoS attack and takes place with botnets' help. What makes it unique is that the queries provoke particularly long responses in this case. For example, DNS requests with a length of 60 bytes trigger a response of 3000 bytes. Here we talk about the amplification factor. This has a factor of 50 to 100 for DNS amplification attacks. What this means for traffic can be illustrated with an example. If the hackers generate a data stream of 200 megabits per second, then a load of 10 gigabits per second can be generated with an amplification factor of 50.
Part of the DNS amplification attack is also IP spoofing. In IP spoofing, the hackers spoof their IP address so that the response goes to a different destination. By doing so, the attackers redirect the DNS server responses to a specific IP address. This is the actual target of the attack. At this point, the network or Internet connection is overloaded. Overloading the DNS server is then just additional collateral damage.
SYN floods also belong to the category of denial-of-service attacks. Hackers use these when attacking Internet nodes. The SYN flood attack uses the TCP transport protocol. Specifically, it involves a weakness in the TCP protocol, or rather the way a connection is established here. The TCP protocol uses a three-way handshake to confirm that a connection has been established. In this case, the client initiates this process with a so-called SYN request. This is followed by acknowledging the SYN packet from the server with an ACK response. The third part of a regular request is now that the client also acknowledges receiving the ACK packet from the server. This establishes the connection. However, systems manipulated by hackers never send the ACK packet. Invulnerable systems, the server now waits for this third part of the connection confirmation. Hackers now, in turn, use botnets to send a large number of these manipulated SYN requests. This causes the attacked server to park vast numbers of half-open connections, leading to congestion. The server becomes unavailable for regular requests, and all services on the server, such as a web server, become unavailable.
Again, there is an amplification or reflection version with IP spoofing. Here, the hackers use many servers to which they send the SYN requests. This is unobtrusive and even overcomes security methods set up against SYN flood attacks. On the other hand, the ACK responses are not sent by the servers to the actual sender but again to a single IP address chosen by the cybercriminals via spoofing. At this point, a massive load now occurs as a large number of ACK packets arrive from the different servers. This leads to an overload of the network or the server, respectively, so that the Internet connection and services fail.
What measures can be taken to prevent attacks on the connectivity chain?
Special measures are needed to defend against such sophisticated activities of cybercriminals. After all, the attacks are not directly illegal activities. In itself, every action, such as a request to a DNS server, is a legitimate action that occurs thousands of times a second in this or a similar form. Likewise, no malware is used directly, such as a Trojan or ransomware, which virus scanners detect.
Instead, measures are needed that deal directly with the requests and their patterns. For example, intelligent firewall solutions can recognize suspicious attack patterns. In these cases, dangerous requests can then be identified before they block the connectivity chain due to a DDoS attack. Proxy servers are another option for responding to the activities of cybercriminals. These are interposed between the actual service and the Internet connection, so all traffic and requests go through the proxy server first. The proxy intercepts the attack while the basic service is protected in a DDoS attack.
One method against IP spoofing is packet filters. These filters control incoming packets at the gateway. If incoming packets indicate a source address of an inside computer, then the packet filter prevents forwarding because this is a clear sign of IP spoofing and activities of cybercriminals. This is how attacks on VPNs can be partially prevented.
SYN flood attacks can be contained on the server-side by recycling half-open TCP connections. The server then automatically terminates the oldest connections, for which it is still waiting for a response. At the same time, the maximum number of half-open connections is restricted. Thus, SYN flood attacks run into the void and no longer affect the reachability of the connectivity chain.
Attacks on VPNs and other areas of the connectivity chain have increased significantly in the recent past, NETSCOUT's Threat Intelligence Report clearly shows. Here, too, the activities of cybercriminals indicate that hackers are becoming increasingly sophisticated. There is a high level of criminal energy behind attacks on VPNs, DNS servers, and other areas of the infrastructure. The attackers' goal is often to extort money from the operators of these infrastructure facilities. Defenses against attacks on the connectivity chain are primarily preventive. Systems can be protected if operators take the appropriate precautions. In addition to the correct configurations of firewalls and packet filters, these include intelligent solutions for early attack detection. In this way, attacks on VPNs, DNS servers, Internet nodes, and similar activities of cybercriminals can be detected before the systems are affected by a DDoS attack.